You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This issue expired on May 31st, 2020 following the current issue management policies & procedures, and lessons learned, for the project.
It will be superseded by a follow-up issue.
Summary
Prior to closing this issue, I implemented unit tests for the parsing/validation of randomly-generated processed event data that can be forwarded to Tier 2, the current application tier for the 3-tier application (in a follow-up issue, I propose that the functionality of Tier 2 should be moved to Tier 3, and that Tier 2 should allow clients forward raw security event data in JSON format instead).
Currently, clients can forward processed event data to the forwarding route(s) served by the application tier, employing a common JSON format for each type of forward-able event.
An instance of the application tier can launched with pulp run after building the project, with issues pending. Event forwarding requests can be executed against the application e.g. as follows.
In Control.Tier2, clients should be required to pass forwarded event data in the body ofPOST requests to the forwarding route(s) served by the application tier, i.e. instead of requiring clients to pass forwarded event data in the URL query string.
Conduct a SQLi vulnerability scan (using sqlmap) against the forwarding route(s) currently served by the application tier, before & after resolving the previous proposed action. Produce a summary report or each type of audited application-layer event (events by source, duration by feature, etc.).
Include the results of this vulnerability scan as part of the scheduled risk assessment for RELEASE-01/TIER-02.
Parsing/validation should be applied to the HTTP request headers of incoming requests to forward events (e.g. verifying that the request method is POST, Content-Type is application/json, Content-Length is correct w.r.t. the body of the request, and so on).
Text.Parsing.Forward
Unit tests are currently implemented for the parsing/validation of each type of forwarded event: an appropriate sample of randomly-generated forward-able events in URL format are currently parsed/validated when running pulp test.
The parsing/validation of forward-able events should be modified to accommodate the proposed changes to the event forwarding request format (or e.g. the body of the POST request should be appended as a query to the URL of the request, as a result of the parsing/validation of the raw HTTP request headers & body, without revising e.g.Text.Parsing.Forward{.event}.
Should clients be able to pass event data in both the URL query string or the body of the POST request?
Implement an additional test suite, where a sample of randomly-generated forward-able events are moreover are forwarded to a self-contained instance of the back-end web application as part of the test.
Currently, Data.Forward.Event is a data type modelling each type of forward-able event.
If the parsing of each type of forward-able event is unambiguous, can the event forwarding API of the application be simplified to e.g. serve only a single forwarding route for all types of events?
e.g. POST /forward (or POST/forward?{...}) instead of POST /forward/traffic, POST/forward/linux, ...?
Data.Forward
Currently, Data.Event is used to model the proposed common structure of forward-able events.
Data.Event
Does the common Event data type require further revision?
Description: A 5-tuple uniquely identifying the occurrence of the event, analogous to / inspired by the 5-tuple (sIP, sPort, dIP, dPort, protocol) identifying a flow record event.
sourceID: A unique identifier assigned to e.g. the remote hosts of forwarding agents for forward-able events. Analogous to sIP.
Should sourceID be derived using a unique identifier for the application instance as a UUIDv5 namespace UUID (e.g. analogous to a SilK sensor name)?
Should an applicationID (or sensorID) in configurations settings passed in the command line arguments of the entry point defined to launch the application tier?
sessionID: A unique identifier assigned to e.g. forwarding agents on remote hosts. Analogous to sPort.
Should sessionID be derived using sourceID as a UUIDv5 namespace UUID?
destinationID: A unique identifier assigned to the location that the forwarded event will be stored. Analogous to dIP.
Should destinationID be signed / verifiable from the e.g. sourceID and sessionID for the event (and moreover the applicationID from which they were derived)?
logID: A unique identifier for the resource, e.g. a DBMS instance / namely SQLite3 database file(s), that will store the forwarded event. Analogous to dPort.
schemaID: A unique identifier used to determine e.g. the table in a SQLite3 database file where the forwarded event will be stored (and the schema for this table). Analogous to protocol.
Should schemaID be signed / verifiable from an sourceID, sessionID, destinationID, logID (and applicationID) for the forwarded event?
Steps to Resolution
Summary
Tier 2
, the current application tier for the 3-tier application (in a follow-up issue, I propose that the functionality ofTier 2
should be moved toTier 3
, and thatTier 2
should allow clients forward raw security event data in JSON format instead).Contents
Example
Currently, clients can forward processed event data to the forwarding route(s) served by the application tier, employing a common JSON format for each type of forward-able event.
An instance of the application tier can launched with
pulp run
after building the project, with issues pending. Event forwarding requests can be executed against the application e.g. as follows.Control.Tier2
, clients should be required to pass forwarded event data in the body ofPOST
requests to the forwarding route(s) served by the application tier, i.e. instead of requiring clients to pass forwarded event data in the URL query string.POST
,Content-Type
isapplication/json
,Content-Length
is correct w.r.t. the body of the request, and so on).Text.Parsing.Forward
Unit tests are currently implemented for the parsing/validation of each type of forwarded event: an appropriate sample of randomly-generated forward-able events in URL format are currently parsed/validated when running
pulp test
.POST
request should be appended as a query to the URL of the request, as a result of the parsing/validation of the raw HTTP request headers & body, without revising e.g.Text.Parsing.Forward{.event}
.Currently,
Data.Forward.Event
is a data type modelling each type of forward-able event.e.g.
POST /forward
(orPOST/forward?{...}
) instead ofPOST /forward/traffic
,POST/forward/linux
, ...?Data.Forward
Currently,
Data.Event
is used to model the proposed common structure of forward-able events.Data.Event
Event
data type require further revision?Proposed Changes
Description: The feature extracted from an audited security event (e.g. flow record, Linux Auditing System, Windows Security, ...).
Data.Event.Identifier
Description: A 5-tuple uniquely identifying the occurrence of the event, analogous to / inspired by the 5-tuple (
sIP
,sPort
,dIP
,dPort
,protocol
) identifying a flow record event.sourceID
: A unique identifier assigned to e.g. the remote hosts of forwarding agents for forward-able events. Analogous tosIP
.sourceID
be derived using a unique identifier for the application instance as a UUIDv5 namespace UUID (e.g. analogous to a SilK sensor name)?applicationID
(orsensorID
) in configurations settings passed in the command line arguments of the entry point defined to launch the application tier?sessionID
: A unique identifier assigned to e.g. forwarding agents on remote hosts. Analogous tosPort
.sessionID
be derived usingsourceID
as a UUIDv5 namespace UUID?destinationID
: A unique identifier assigned to the location that the forwarded event will be stored. Analogous todIP
.destinationID
be signed / verifiable from the e.g.sourceID
andsessionID
for the event (and moreover theapplicationID
from which they were derived)?logID
: A unique identifier for the resource, e.g. a DBMS instance / namely SQLite3 database file(s), that will store the forwarded event. Analogous todPort
.schemaID
: A unique identifier used to determine e.g. the table in a SQLite3 database file where the forwarded event will be stored (and the schema for this table). Analogous toprotocol
.schemaID
be signed / verifiable from ansourceID
,sessionID
,destinationID
,logID
(andapplicationID
) for the forwarded event?Data.Event.Checksum
featureID
: a unique identifier for the feature (3-tuple) extracted from the event.instanceID
: a unique identifier for raw event from which the processed event was derived.type Content = ...
(in a follow-up release)?Data.Event.Period
Data.Event.EventType
** Extensibility **
ea0ac96
Separate module for commonData.Event.EventType
(success or failure).0288da6
Explicit type class in.Data.Event.Class
analogous toEventCategory
andEventID
Explicit type parameter with.EventType
type class constraintThe text was updated successfully, but these errors were encountered: